Hi,

> > This problem has apparently been all over the internet for years, so I
> > don't think it's an unintentional bug by Microsoft.
> > https://answers.microsoft.com/en-us/msoffice/forum/all/routing-to-exchange-online-results-in-spf-softfail/367e14ac-a3ce-46a2-8949-ffbc8f66edc7
>
> If you're the primary MX operator for your own domain, and forwarding to
> Microsoft for actual mailbox hosting, your forwarding arrangement to
> Microsoft should be via some dedicated authenticated (or at least
> IP-restricted) channel, where Microsoft does not apply any SPF or DKIM
> checks, they should trust your server as authorised to forward mail
> into your users' mailboxes.
>
> Just relaying externally originated content to their public port 25
> service is not a good idea.

Yes, I have set up a mail filter to bypass restrictions for my IPs, but
after having read a bit more, I believe it's not possible to bypass SPF
checks - it apparently is only a soft fail and not rejected. However,
after reading your message, I disabled the mail filter, and it resulted
in a soft fail anyway, effectively just accepting mail from my postfix
server without any restrictions anyway. Obviously not best practice, so
I'll continue to investigate.

> You're barking up the wrong tree... SPF is key of the envelope
> sender, which isn't your domain. The real problem is not failing
> SPF, it is sending to Microsoft in a manner that has them doing
> any SPF or DKIM checks at all.

Yes, makes sense. All indications are that a mail filter can be used to
bypass the SPF checks, but I'm going to research further. Would this be
a use-case for SRS?

Thanks, as always.

Alex
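
The point quoted above, that SPF is evaluated against the envelope sender's domain rather than the forwarding host's, shown as an added example that is not part of the original message. It uses a simplified evaluator (only `ip4` and `all` mechanisms); the domains, addresses and SPF records are constructed, and the `HHH`/`TT` fields stand in for the hash and timestamp a real SRS implementation computes.

```python
import ipaddress

# Constructed SPF policies using documentation domains and addresses.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_from):
    """Simplified SPF check: the policy is selected by the domain of the
    envelope sender (SMTP MAIL FROM), not by the connecting host's domain."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism.startswith("ip4:"):
            # First matching mechanism decides the result.
            if ip in ipaddress.ip_network(mechanism[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"


def srs_rewrite(envelope_from, forwarder_domain, tag="HHH", stamp="TT"):
    """Rewrite the envelope sender into SRS0 form under the forwarder's
    domain. tag and stamp are placeholders, not a computed HMAC/timestamp."""
    local, domain = envelope_from.rsplit("@", 1)
    return f"SRS0={tag}={stamp}={domain}={local}@{forwarder_domain}"


ORIGINAL = "alice@sender.example"   # constructed envelope sender
FORWARDER_IP = "198.51.100.25"      # constructed forwarding MX address

if __name__ == "__main__":
    # Delivered directly by the sender's own server.
    print("direct:   ", check_spf("192.0.2.10", ORIGINAL))
    # Relayed unchanged by the forwarder: checked against sender.example.
    print("forwarded:", check_spf(FORWARDER_IP, ORIGINAL))
    # Relayed with an SRS-rewritten envelope sender: checked against forwarder.example.
    rewritten = srs_rewrite(ORIGINAL, "forwarder.example")
    print("with SRS: ", check_spf(FORWARDER_IP, rewritten))
```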